Abstract

We present an approach to a generalization of the practical Identity-Based Encryption
scheme of [BF01]. In particular we show how the protocol could be used on finite
modular lattices and, as a special case, on vector spaces over a finite field. The original
proof of security for this protocol does not hold in this general algebraic structure, thus
this is still a work in progress.



1 Introduction 

The goal of this work is to investigate the possibility of generalizing the practical Identity-
Based Encryption scheme of [BF01] into a different algebraic structure. Specifically we use
finite modular lattices instead of cyclic groups and replace the original pairing on elliptic
curves with a special pairing on modular lattices.



2 Preliminaries 

Here we introduce the necessary formalism. 

2.1 Security Model for Identity-Based Encryption 

We review the standard security model for Identity-Based Encryption as can be found in
[BF01, Gen06].

An IBE scheme consists of four randomized algorithms: Setup, KeyGen, Encrypt, and
Decrypt. Setup sets the Private Key Generator's (PKG) parameters params and a master key
master-key. KeyGen is a probabilistic algorithm that generates a private key for an identity
using master-key. Encrypt encrypts a message, taking an identity and params as input, and
outputs a ciphertext. Decrypt decrypts a ciphertext for an identity using a private key for
that identity.

Boneh and Franklin define IND-ID-CCA security (indistinguishability under adaptive 
identity and adaptive chosen ciphertext attack) via the following game. 

Setup: The challenger runs Setup, and sends params to the adversary while keeping 
the master key to itself. 

Phase 1: The adversary issues queries $q_1, \ldots, q_m$ where $q_i$ is one of the following:

• Key-extraction query $(ID_i)$: the challenger runs KeyGen on $ID_i$ and forwards
the resulting private key to the adversary.

• Decryption query $(ID_i, C_i)$: the challenger runs KeyGen on $ID_i$, decrypts $C_i$
with the resulting private key, and sends the result to the adversary.

The adversary can make these queries adaptively, i.e., any query may depend on the
previous queries as well as their answers.

Challenge: The adversary submits two equal length plaintexts $M_0, M_1 \in \mathcal{M}$ and
an identity $ID$. Obviously, $ID$ must not have appeared in any key generation query
in Phase 1. The challenger selects uniformly at random a bit $b \in \{0, 1\}$, obtains
a ciphertext $C = \mathrm{Encrypt}(params, ID, M_b)$, and sends $C$ to the adversary as its
challenge ciphertext.

Phase 2: This is identical to Phase 1, except that the adversary may not request a
private key for $ID$ or the decryption of $(ID, C)$.

Guess: The adversary outputs a guess $b' \in \{0, 1\}$ for $b$. The adversary wins if $b = b'$.

The advantage of the adversary in attacking the IBE scheme is defined as:

$$\mathrm{Adv} = \left| \Pr[b = b'] - \tfrac{1}{2} \right| \qquad (1)$$

We call the adversary in the above game an IND-ID-CCA adversary. 



Definition 2.1.1 An IBE system is $(t, q_{ID}, q_C, \epsilon)$ IND-ID-CCA secure if all $t$-time IND-ID-
CCA adversaries making at most $q_{ID}$ private key queries and at most $q_C$ chosen ciphertext
queries have advantage at most $\epsilon$ in winning the above game.

IND-ID-CPA security is defined similarly, only with the restriction that the adversary
cannot make decryption queries.

Definition 2.1.2 An IBE system is $(t, q_{ID}, \epsilon)$ IND-ID-CPA secure if it is $(t, q_{ID}, 0, \epsilon)$ IND-
ID-CCA secure.



2.2 Bilinear Maps and Pairings 

We will generalize the standard notion of a bilinear map [BF01, BB04, Gen06]. The standard
setting is the following:

• $G$ and $G_T$ are two (multiplicative) cyclic groups of prime order $p$;

• $g$ is a generator of $G$.

Let $G$ and $G_T$ be two groups as above. An (admissible) bilinear map is a map $e : G \times G \to G_T$
with the following properties:

• Bilinearity: for all $u, v \in G$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

• Non-degeneracy: $e(g, g) \neq 1$.

• Computability: there is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G$.

We say that $G$ is a bilinear group if the group action in $G$ can be computed efficiently and
there exists a group $G_T$ and an efficiently computable bilinear map $e : G \times G \to G_T$ as
above. Note that $e(\cdot, \cdot)$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

We will call the generalization of the bilinear map a pairing:

Definition 2.2.1 Let $X, Y$ be finite sets and $A$ be a semigroup acting on $X$ from the left.
Then a mapping $e : X \times X \to Y$ is called a pairing on $X$ iff $e$ is bilinear, that means:

$$e(a x_1, x_2) = e(x_1, a x_2), \quad \text{for all } x_1, x_2 \in X \text{ and } a \in A.$$

Note also that we will use the bilinear property in both coordinates:

$$e(a x_1, b x_2) = e(x_1, a b x_2) = e(x_1, b(a x_2)) = e(b x_1, a x_2).$$

2.3 Complexity Assumptions 

Let $X, Y$ be finite sets and $A$ be a semigroup acting on $X$ and $Y$ from the left. We will
assume the following problems are hard:

• Discrete Log problem (DLP): $p \in X$, for given $(p, ap)$ determine $a$.

• Bilinear Diffie-Hellman (BDH) in $(X, Y, e)$ [BF01]: for given $(x, y, ax, bx)$ find
$e(ax, by)$, for $x, y \in X$.

An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving BDH in $(X, Y, e)$ if

$$\Pr[\mathcal{A}(x, y, ax, bx) = e(ax, by)] \geq \epsilon$$

where the probability is over the random choice of $a, b \in A$, the random choice of $x, y \in X$,
and the random bits of $\mathcal{A}$.

BDH Assumption.

We say that the BDH problem is $(t, \epsilon)$-hard in $X$ if no $t$-time algorithm can solve the BDH
problem with advantage at least $\epsilon$.

Hardness of BDH.

The BDH problem in $(X, Y, e)$ is no harder than the Computational Diffie-Hellman problem
(CDH) in $X$ or $Y$. The converse is still an open problem: is an algorithm for BDH sufficient
for solving CDH? The best known algorithm for BDH is to solve DLP in either $X$ or $Y$.



2.4 Brief modular lattice theory 

Now we introduce some basic notions of lattice theory; a good reference is the book [Gratz].

Definition 2.4.1 A poset $(L, \leq)$ is called a lattice if for every finite subset $A \subseteq L$ there
exists a join (least upper bound) $\bigvee A$ and a meet (greatest lower bound) $\bigwedge A$ in $L$.

For a finite $L$, we define the least and the greatest element of $L$ respectively as $O := \bigwedge L$
and $I := \bigvee L$.

For $a, b \in L$, an interval is

$$[a, b] := \{x \in L \mid a \leq x \leq b\}.$$

An equivalent universal algebraic definition of a lattice is

Definition 2.4.2 An algebra $(L, \wedge, \vee)$ is called a lattice if $L$ is a nonempty set, $\wedge$ and $\vee$
are binary operations on $L$, both $\wedge$ and $\vee$ are idempotent, commutative, and associative, and
they satisfy the absorption law.

A note on notation: in the rest of the text we will be using the symbols $+$ and $\cdot$ instead of the
more common $\vee$, $\wedge$ for the two binary operations on a lattice, respectively.

Definition 2.4.3 A lattice $L$ is called modular if for all $a, b, c \in L$ the following holds:

$$a \leq c \Rightarrow (a + b) \cdot c = a + b \cdot c. \qquad (2)$$

An example: the normal subgroup lattice of a group is modular.

Lemma 2.4.4 For a lattice $L$, the following are equivalent:

• $L$ is modular;

• $L$ does not contain the lattice $N_5$ as a sublattice;

• for all $a, b, c, d \in L$

$$d \leq b \Rightarrow (a \cdot b + c) \cdot d = (a + c \cdot b) \cdot d.$$

Definition 2.4.5 A lattice is said to be distributive if it satisfies for all $x, y, z \in L$ either
(and therefore both) of the distributive laws:

• $x \cdot (y + z) = (x \cdot y) + (x \cdot z)$

• $x + (y \cdot z) = (x + y) \cdot (x + z)$.

The following is an easy observation.

Lemma 2.4.6 Every distributive lattice is modular.

Examples of distributive lattices include Boolean lattices, totally ordered sets, and the
subgroup lattices of locally cyclic groups.

Definition 2.4.7 A complement of $a$ in a lattice $L$ with $O$ and $I$ is an element $b \in L$ such
that

$$a \cdot b = O \quad \text{and} \quad a + b = I.$$

A bounded lattice $L$ is complemented if all its elements have complements.

Remark 2.4.8 Complements may not exist. If $L$ is a non-trivial chain, then no element
(other than $O$ and $I$) has a complement. This also shows that if $a$ is a complement of a
non-trivial element $b$, then $a$ and $b$ form an antichain.

In a complemented lattice, there may be more than one complement corresponding to each
element.

Definition 2.4.9 Two elements are said to be related (or perspective) if they have a common
complement.

Remark 2.4.10 If a complemented lattice $L$ is a distributive lattice, then $L$ is uniquely
complemented (in fact, a Boolean lattice).
3 The generalized IBE protocol

In the following we will present an approach to a generalization of the IBE protocol by Boneh
and Franklin [BF01].

3.1 The Boneh-Franklin protocol on modular lattices

Definition 3.1.1 Let $L$ be a modular lattice and $d \in L$ be fixed. Then the semigroup $A :=
[d, I]$ acts on $L$ and the mapping

$$e_d : L \times L \to [O, d], \quad (x, y) \mapsto d \cdot (x + y) \qquad (3)$$

is said to be a lattice pairing.

It is easy to see that the lattice pairing is indeed a pairing.

We assume the pairing $e_d$ and the $A$-action are both nondegenerate and efficiently computable.



Definition 3.1.2 Let $\mathbb{F}_q$ be the field with $q$ elements and $n \in \mathbb{N}$. The projective space
(geometry) of dimension $n - 1$ and order $q$ is the lattice

$$L(\mathbb{F}_q^n) := \{S \subseteq \mathbb{F}_q^n \mid S \text{ is a subspace}\}. \qquad (4)$$

Subspaces of dimension $1, 2, \ldots, n - 1$ are referred to as points, lines, ..., hyperplanes in
this geometry.

The Gaussian coefficients determine the number of subspaces of a given dimension $k$. The
formula is

$$\binom{n}{k}_q = \frac{(1 - q^n)(1 - q^{n-1}) \cdots (1 - q^{n+1-k})}{(1 - q^k)(1 - q^{k-1}) \cdots (1 - q)}. \qquad (5)$$



Just for the sake of clarity we take a small example of a lattice $L := L(\mathbb{F}_q^5)$ for some $q$ and
show the use of the protocol for ID-based encryption devised by Boneh and Franklin in 2001.
In this case we can use standard geometrical names for our objects. The one-, two-, three- and
four-dimensional subspaces of the projective space $L(\mathbb{F}_q^5)$ are called points, lines, planes
and hyperplanes, respectively.

There are two users with some identities and a trusted authority (TA) issuing users' private
keys in the protocol.

Given $L$ and a fixed line $d \in L$, the protocol proceeds as follows:

Setup: TA chooses a plane $P \in L$, $d \not\leq P$, a hyperplane $s \in_R L$,
$d \leq s$, $P \not\leq s$, computes a line $P_{pub} := P \cdot s$, and chooses cryptographic hash
functions $H_1 : \{0, 1\}^* \to L$ and $H_2 : L \to \{0, 1\}^n$, where $n$ is the bit
length of messages.
The private master key is $s$ and the global public key is $P_{pub}$.

Extract: given a user's public $ID \in \{0, 1\}^*$, compute the user's public
key $Q_{ID} = H_1(ID) \in L$ (a plane), $d \not\leq Q_{ID}$, $Q_{ID} \not\leq s$, and the private
key $S_{ID} = s \cdot Q_{ID}$.

Encrypt: given a message $M$, choose a secret hyperplane $r \in_R L$, $d \leq r$,
$P \not\leq r$, $Q_{ID} \not\leq r$, and compute

$$C = \{r \cdot P,\; M \oplus H_2(e_d(Q_{ID} \cdot r, P_{pub}))\}.$$

Decrypt: given the ciphertext $C = \{U, V\}$, recover the plaintext

$$M = V \oplus H_2(e_d(S_{ID}, U)).$$

To verify the correctness of the protocol just substitute for $S_{ID}, U, V$ and use the property
of the pairing: both parties hash $e_d$ of the same join, $s \cdot Q_{ID} + r \cdot P = Q_{ID} \cdot r + P \cdot s$.

Remark 3.1.3 The protocol does not work for distributive lattices, as

$$e_d(Q_{ID} r, P s) = d(Q_{ID} r + P s) = d Q_{ID} r + d P s = Q_{ID} d + P d,$$

which is a public element.

We can make the following observations:

• The projective line $[O, d]$ has $q + 1$ (nontrivial) points.

• The number of lines of the plane $[d, I]$ (choice of $r$, $s$) is $q^2 + q + 1$.

• The requirements $d \leq s$ and $d \leq r$ cannot be dropped as we need them for the
bilinearity of $e_d$.

• Thus there are only $(\dim s - \dim d)$ unknown dimensions in $s$ and similarly for $r$.

• Therefore for practical use it is necessary to consider a projective space of much
higher dimension.

• A good choice for the dimension of the element $d$ seems to be $n/2$, as then both the set of
hyperplanes containing $d$ (choice of $r$, $s$) and the set of elements contained in $d$ (range
of $e_d$) are about the same size (and 'large' enough).



There are several nontrivial possibilities for choosing the other elements of the protocol; one such
choice could be this one:

• $rP$, $sP$, $rQ_{ID}$, $sQ_{ID}$ are lines different from $d$.

• $rP + sQ_{ID}$ is a hyperplane different from $r$ and $s$.

• The pairing $e_d(rP, sQ_{ID}) = (rP + sQ_{ID}) d$ is a point.

A general weakness of this protocol is that repeated use of the system enables a user to learn 
about the choice of s. This can be resolved by bounding the number of issued private keys 
for a given master key. 

In the general case of $L := L(\mathbb{F}_q^n)$, where $n$ is large enough, we suggest the following choices:

• The element $d$ is chosen from the $\lfloor n/2 \rfloor$-dimensional elements of the lattice.

• The element $P$ is chosen among the elements of dimensions ranging from $\lfloor n/2 \rfloor + 1$ to
$n - 3$, so that it does not contain $d$ (avoids the sublattice $[d, I]$).

• The secret key $s$ is selected uniformly at random from the elements of dimension $n - 1$
(and possibly also of dimension $n - 2$) that are contained in the sublattice $[d, I]$.

• The hash function $H_1$ maps the user's ID to the lattice elements of dimensions ranging
from $\lfloor n/2 \rfloor + 1$ to $n - 2$, so that it does not contain $d$ (and is not contained in $s$). But
is it necessary to exclude the element $P$?

• The secret $r$ is selected uniformly at random from the elements of dimension $n - 1$ and
$n - 2$ that are contained in the sublattice $[d, I]$.

• The pairing $e_d$ maps to the sublattice $[O, d]$ (avoiding $O$ and $d$), which has height $\lfloor n/2 \rfloor$.

What is missing: a proof of hardness of the BDH problem in $L(\mathbb{F}_q^n)$ and an investigation of
the feasibility of the pairing. This should include

• a bound on the size of $q(n)$;

• a good representation of modular lattices (like vector spaces).



3.2 The special case of a vector space

In this section we will consider the special case of the finite modular non-distributive lattice of
subspaces of an $n$-dimensional vector space $V := \mathbb{F}_q^n$ over the finite field $\mathbb{F}_q$.

We will represent this vector space and its subspaces in the standard way, i.e. by matrices
of size $m \times n$ over $\mathbb{F}_q$ for some $m$. Representing the operations of intersection and union
(the subspace spanned by both) is easy too, as there is a basis in every vector space.

If we choose uniformly at random two vector subspaces $V_1$ and $V_2$ of $V$, $\dim V_1 = m'_1 < n$
and $\dim V_2 = m'_2 < n$, we would like to know the expected value of $\dim(V_1 \cup V_2)$.

We can easily compute the expected dimension of the intersection of these two random spaces

$$E(\dim(V_1 \cap V_2)) = E(\dim V_1) + E(\dim V_2) - E(\dim(V_1 \cup V_2)), \qquad (6)$$

as the intersection and union of two vector spaces are also vector spaces and expectation is
a linear function.

Let $M_1$ and $M_2$ be two matrices created by randomly sampling $m_1$ and $m_2$ vectors of length
$n$ respectively (their ranks might be smaller than $m_1$ and $m_2$). These matrices will represent
the random subspaces $V_1$ and $V_2$. We are interested in the dimension of the union of these
two subspaces, thus we join the two matrices and investigate the rank of the matrix of size
$m \times n$, where $m = m_1 + m_2$.

In the same way as Linial and Weitz did in [LW00], we denote the collection of $m \times n$
matrices over $\mathbb{F}_q$ by $M_{m,n}(q)$ and this same set with the uniform distribution is the probability
space $\Omega_{m,n,q}$. The rank of matrices can be seen as an integer-valued random variable on
$\Omega_{m,n,q}$.

The rank distribution is well known:

Lemma 3.2.1 Let $0 \leq r \leq \min\{m, n\}$, $m \leq n$ and $M$ be a matrix from $\Omega_{m,n,q}$.
Then

$$\Pr(\operatorname{rank} M = r) = \frac{1}{q^{(n-r)(m-r)}} \prod_{i=0}^{r-1} \frac{(1 - q^{i-n})(1 - q^{i-m})}{1 - q^{i-r}}.$$

In the special case when $r = m$, the matrix must be regular, so every newly added vector is
independent from the linear span of the previously added vectors:

$$\Pr(\operatorname{rank} M = m) = \prod_{i=0}^{m-1} (1 - q^{i-n}).$$
More details behind the following valuable observations can be found in Linial and Weitz
[LW00]:

• A randomly chosen $m \times n$ matrix $M$ has almost surely full rank (i.e. $\min\{m, n\}$) iff
$|n - m|$ is unbounded (grows to infinity with $n$).

• If $|n - m|$ is bounded, then $\Pr(\operatorname{rank} M < r) \to 0$ iff $r \leq \min\{m, n\} - \omega(1)$, i.e. almost
full rank is almost certain.

Here "almost surely" means that the probability grows to 1 exponentially with increasing $n$.

The description of the B-F protocol for the special case of a vector space with some concrete
choices of sizes of elements follows.

Setup: Given an $n$-dimensional vector space over $\mathbb{F}_q$, choose uniformly at random
$\lceil 5n/16 \rceil$ vectors to form the parameter $d$. For $P$ randomly choose $\lceil n/2 \rceil$ vectors; to
form $S$ take the vectors of $d$ and add $\lceil 9n/16 \rceil$ random vectors.

Extract: For a given $ID \in \{0, 1\}^*$, choose $\lceil n/2 \rceil$ vectors to form $Q_{ID}$; the secret $R$
will be formed in the same way as $S$. Set the private key to $S \cdot Q_{ID}$.

Encrypt & Decrypt: Same as before. Analysis follows.

According to the observation, with high probability all these subspaces have full dimension.

Then the hard problem in the protocol is:

for given $(Q_{ID}, P_{pub}, P \cdot R, P)$, find $e_d(Q_{ID} \cdot R, P_{pub})$.

This problem is not harder than finding $R, S$ given $P, Q_{ID}, Q_{ID} \cdot R, P \cdot S$, which could be
seen as a variant of the discrete logarithm problem in vector spaces. But the exact relation
to the original Bilinear Diffie-Hellman problem on elliptic curves is unclear.

The dimension of $Q_{ID} \cdot R$ and of $P_{pub} = P \cdot S$ is with high probability equal to $\lceil 7n/8 \rceil +
\lceil n/2 \rceil - n = \lceil 3n/8 \rceil$. Thus with high probability the dimension of $Q_{ID} \cdot R + P_{pub}$ is equal to
$\lceil 3n/4 \rceil$. And so finally the dimension of $e_d(Q_{ID} \cdot R, P_{pub})$ is with high probability equal to
$\lceil n/16 \rceil$.

We can easily compute the number of spaces that contain some fixed space as a subspace,
due to the duality of the structure and using Gaussian coefficients.

The number of vector spaces of dimension $\lceil 3n/4 \rceil$ that contain a fixed space of dimension
$\lceil n/2 \rceil$ is $\binom{\lceil n/2 \rceil}{\lceil n/4 \rceil}_q \geq q^{n^2/16}$. And the number of subspaces of dimension $\lceil 3n/4 \rceil$ is
$\binom{n}{\lceil 3n/4 \rceil}_q \geq q^{3n^2/16}$.
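As an added worked example (not the paper's own code), the following Python computes the Gaussian coefficient (5), the rank distribution of Lemma 3.2.1 as exact fractions, cross-checks the lemma against an independent count of rank-$r$ matrices, and evaluates equation (6) for the parameter sizes of this section. Two things go beyond the text: the lemma is stated for $m \leq n$ and is extended to $m > n$ by transposing, and the concrete values $n = 16$, $q = 2$ are constructed for the example; the dictionary keys in `section_32_dimensions` are this example's own names.

```python
import math
from fractions import Fraction

def gaussian_binomial(n, k, q):
    """Gaussian coefficient (5): the number of k-dimensional subspaces of F_q^n."""
    if k < 0 or k > n:
        return 0
    num, den = 1, 1
    for i in range(k):
        num *= 1 - q ** (n - i)    # (1 - q^n)(1 - q^(n-1)) ... (1 - q^(n+1-k))
        den *= 1 - q ** (k - i)    # (1 - q^k)(1 - q^(k-1)) ... (1 - q)
    return num // den              # exact: the quotient is an integer

def rank_probability(m, n, q, r):
    """Lemma 3.2.1: Pr(rank M = r) for M uniform in Omega_{m,n,q}, as an exact Fraction.
    The lemma assumes m <= n; rank is invariant under transposition, so m > n is
    handled by swapping (this extension is ours, not the paper's)."""
    if m > n:
        m, n = n, m
    if r < 0 or r > m:
        return Fraction(0)
    p = Fraction(1, q ** ((n - r) * (m - r)))
    qf = Fraction(q)
    for i in range(r):
        p *= (1 - qf ** (i - n)) * (1 - qf ** (i - m)) / (1 - qf ** (i - r))
    return p

def rank_count_direct(m, n, q, r):
    """Independent count of m x n rank-r matrices: pick the r-dimensional row space,
    then a full-rank m x r matrix of coordinates of the rows in a basis of it."""
    count = gaussian_binomial(n, r, q)
    for i in range(r):
        count *= q ** m - q ** i
    return count

def lemma_consistent(m, n, q):
    """The lemma's probabilities sum to 1 and, scaled by q^(mn), match the direct count."""
    probs = [rank_probability(m, n, q, r) for r in range(min(m, n) + 1)]
    return sum(probs) == 1 and all(p * q ** (m * n) == rank_count_direct(m, n, q, r)
                                   for r, p in enumerate(probs))

def expected_rank(m, n, q):
    return sum(r * rank_probability(m, n, q, r) for r in range(min(m, n) + 1))

def expected_intersection_dim(m1, m2, n, q):
    """Equation (6) with V_i spanned by m_i uniform random vectors: the join V_1 + V_2 is the
    row space of the stacked (m1 + m2) x n matrix, itself uniform in Omega_{m1+m2,n,q}."""
    return expected_rank(m1, n, q) + expected_rank(m2, n, q) - expected_rank(m1 + m2, n, q)

def section_32_dimensions(n=16, q=2):
    """Expected dimension of Q_ID . R (equally P . S = P_pub) for the parameter sizes of
    Section 3.2, next to the paper's high-probability value ceil(3n/8), plus the count of
    ceil(3n/4)-spaces over a fixed ceil(n/2)-space. n = 16, q = 2 are constructed values."""
    dim_q = math.ceil(n / 2)                                 # Q_ID (and P): n/2 random vectors
    dim_r = math.ceil(5 * n / 16) + math.ceil(9 * n / 16)    # R (and S): d's vectors plus 9n/16 more
    return {"E[dim Q_ID.R]": expected_intersection_dim(dim_q, dim_r, n, q),
            "ceil(3n/8)": math.ceil(3 * n / 8),
            "spaces of dim 3n/4 over a fixed n/2-space":
                gaussian_binomial(n - math.ceil(n / 2), math.ceil(3 * n / 4) - math.ceil(n / 2), q)}
```

For $n = 16$, $q = 2$ the expected dimension of $Q_{ID} \cdot R$ comes out slightly below the generic value $\lceil 3n/8 \rceil = 6$, because a $14 \times 16$ random matrix over $\mathbb{F}_2$ drops rank with noticeable probability; this is exactly the $|n - m|$ bounded regime of the Linial-Weitz observation above, and the gap shrinks as $q$ or $n$ grows.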



3.3 In search of a security proof

The reason why we cannot use the same proof technique as in [BF01] is simple: in a vector
space we are missing the multiplicative group structure.

The original Boneh-Franklin proof of IND-ID-CPA security of the identity-based protocol is
done in two steps.

The first step is to show that if an adversary can break the ID-based protocol with some
advantage $\epsilon$, then there is an algorithm that can break a standard public key protocol (called
BasicPub in [BF01]) with advantage $\epsilon / (e(1 + q_E))$, where $q_E$ is the number of queries to the random
oracle used for issuing public keys. This standard protocol is similar to the ID-based
one, just the queries for private keys are removed.

The second step is to show that if an adversary has some advantage against the public key
protocol (without identity queries for public keys) then there is an algorithm that solves the
BDH problem with some non-trivial advantage.

The first part of the proof actually shows that private key extraction queries do not help the
adversary. It does that by constructing a table that substitutes the hash function answers
for these queries. But unfortunately, it relies on the existence of inverse elements in groups,
which we cannot get in a vector space.

Concretely, when we simulate the first hash function we output $b \cdot Q_{ID}$ as the public key for
the identity on which the adversary wants to be challenged.
We want to decrypt $C = \{U, V\}$, thus we compute an inverse of $b$ in the group, and send
the adversary the ciphertext $C' = \{b^{-1} \cdot U, V\}$.
We observe that decryption of $C'$ using the private key $s \cdot b \cdot Q_{ID}$ is the same as decryption of $C$
using $s \cdot Q_{ID}$:

$$e(b^{-1} \cdot U, s \cdot b \cdot Q_{ID}) = e(U, s \cdot b^{-1} \cdot b \cdot Q_{ID}) = e(U, s \cdot Q_{ID}).$$

In the second part, we have to simulate the other hash function used in the ID-based protocol.
But this function maps from a group to $\{0, 1\}^n$ and thus we can easily replace the group
with the vector space, as we are not using the structural properties of a group.
As IND-ID-CCA security is stronger than IND-ID-CPA security, this proof will not work for
it either.

As we do not have the advantage of a multiplicative group structure in a vector space, we
cannot use the standard proof technique.
3.4 Another approach: direct product $L^n$

Another approach to this problem might be to take a small (possibly the smallest) lattice
$L$ (vector space) for which the aforementioned protocol is non-trivial and then take the direct
product of a sufficiently large number of copies of this lattice. This construction will give us
an exponentially large secret key.



4 Conclusions 

We failed to properly generalize the original Boneh-Franklin protocol to the case of modular
lattices. The security proof of the original protocol depends on the multiplicative group
structure, which we are losing when generalising to modular lattices. One possible way to
proceed might be to use the direct product $L^n$ of $n$ small lattices $L$ for which the protocol is
non-trivial.



References 

[BB04] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity-based encryption
without random oracles. 3027:223-238, 2004.

[BF01] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing.
2139:213-229, 2001.

[Gen06] Craig Gentry. Practical identity-based encryption without random oracles.
4004:445-464, 2006.

[Gratz] George Grätzer. General Lattice Theory. Birkhäuser, Basel, 1996.

[LW00] Nathan Linial and Dror Weitz. Random vectors of bounded weight and their linear
dependencies. 2000.






